15 Feb 2019

Not Really a WordPress Plugin Vulnerability, Week of February 15

In reviewing reports of vulnerabilities in WordPress plugins, so that we can provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports of things that don’t appear to be vulnerabilities. For the more problematic reports we release posts detailing why the vulnerability reports are false, but there have been many that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. Those that don’t rise to the level of getting their own post now go in a weekly post as we come across them.

Local File Inclusion Vulnerability in WP Staging

The report of a claimed local file inclusion vulnerability in the plugin WP Staging is the kind of strange report we have never been able to explain: someone has subtly modified real code from the plugin to present a situation very different from reality. [Read more]

24 Jun 2016

Arbitrary File Upload Vulnerability in Jssor Slider

Recently we have been finding a lot of vulnerabilities in WordPress plugins by monitoring our websites for what look to be requests related to hacking attempts. That has led to these plugins either being fixed or pulled from the Plugin Directory, so that more websites are not made vulnerable. Our getting a plugin removed from the Plugin Directory obviously doesn’t do anything for people already running it, so WordPress should finally take up our suggestion to warn users when it has removed a plugin for a security issue. In the meantime, even if you don’t use our service, you can get warned about plugins like this with our Plugin Vulnerabilities plugin, since even without being signed up for the service you get warned about vulnerabilities in plugins we are seeing hacking attempts against.

We are always looking for ways to improve our data collection so that we can provide our customers with the best data possible. To that end, we are looking at ways to gather more data of the kind that allowed us to catch those new vulnerabilities. In working on that, we came across another vulnerability, one that indicates that others have not been doing this work. [Read more]